Florida Senate - 2014 COMMITTEE AMENDMENT
Bill No. PCS (290876) for SB 928
LEGISLATIVE ACTION
Senate . House
Comm: RCS .
03/13/2014 .
following:
1 Senate Amendment (with title amendment)
2
3 Delete lines 987 - 1189
4 and insert:
5 Section 11. Section 282.318, Florida Statutes, is amended
6 to read:
7 282.318 Enterprise Security of data and information
8 technology.—
9 (1) This section may be cited as the “Enterprise Security
10 of Data and Information Technology Security Act.”
11 (2) As used in this section, the term “state agency” has
12 the same meaning as provided in s. 282.0041, except that the
13 term includes the Department of Legal Affairs, the Department of
14 Agriculture and Consumer Services, and the Department of
15 Financial Services.
16 (2) Information technology security is established as an
17 enterprise information technology service as defined in s.
18 282.0041.
19 (3) The Agency for State Enterprise Information Technology
20 is responsible for establishing standards and processes
21 consistent with generally accepted best practices for
22 information technology security and adopting rules that
23 safeguard an agency’s data, information, and information
24 technology resources to ensure availability, confidentiality,
25 and integrity and publishing guidelines for ensuring an
26 appropriate level of security for all data and information
27 technology resources for executive branch agencies. The agency
28 shall also perform the following duties and responsibilities:
29 (a) Develop, and annually update by February 1, a statewide
30 an enterprise information technology security strategic plan
31 that includes security goals and objectives for the strategic
32 issues of information technology security policy, risk
33 management, training, incident management, and disaster recovery
34 survivability planning.
35 (b) Develop and publish for use by state agencies an
36 information technology security framework that, at a minimum,
37 includes enterprise security rules and published guidelines and
38 processes for:
39 1. Establishing asset management procedures to ensure that
40 an agency’s information technology resources are identified and
41 managed consistent with their relative importance to the
42 agency’s business objectives.
43 2. Using a standard risk assessment methodology that
44 includes the identification of an agency’s priorities,
45 constraints, risk tolerances, and assumptions necessary to
46 support operational risk decisions.
47 3.1. Completing comprehensive risk assessments analyses and
48 information technology security audits and submitting completed
49 assessments and audits to the Agency for State Technology
50 conducted by state agencies.
51 4. Identifying protection procedures to manage the
52 protection of an agency’s information, data, and information
53 technology resources.
54 5. Establishing procedures for accessing information and
55 data to ensure the confidentiality, integrity, and availability
56 of such information and data.
57 6. Detecting threats through proactive monitoring of
58 events, continuous security monitoring, and defined detection
59 processes.
60 7.2. Responding to information technology suspected or
61 confirmed information security incidents, including suspected or
62 confirmed breaches of personal information containing
63 confidential or exempt data.
64 8. Recovering information and data in response to an
65 information technology security incident. The recovery may
66 include recommended improvements to the agency processes,
67 policies, or guidelines.
68 9.3. Developing agency strategic and operational
69 information technology security plans required pursuant to this
70 section, including strategic security plans and security program
71 plans.
72 4. The recovery of information technology and data
73 following a disaster.
74 10.5. Establishing the managerial, operational, and
75 technical safeguards for protecting state government data and
76 information technology resources that align with the state
77 agency risk management strategy and that protect the
78 confidentiality, integrity, and availability of information and
79 data.
80 (c) Assist state agencies in complying with the provisions
81 of this section.
82 (d) Pursue appropriate funding for the purpose of enhancing
83 domestic security.
84 (d)(e) In collaboration with the Cybercrime Office of the
85 Department of Law Enforcement, provide training for state agency
86 information security managers.
87 (e)(f) Annually review the strategic and operational
88 information technology security plans of executive branch
89 agencies.
90 (4) To assist the Agency for Enterprise Information
91 Technology in carrying out its responsibilities, Each state
92 agency head shall, at a minimum:
93 (a) Designate an information security manager to administer
94 the information technology security program of the state agency
95 for its data and information technology resources. This
96 designation must be provided annually in writing to the Agency
97 for State Enterprise Information Technology by January 1. A
98 state agency’s information security manager, for purposes of
99 these information security duties, shall report directly to the
100 agency head.
101 (b) Submit to the Agency for State Enterprise Information
102 Technology annually by July 31, the state agency’s strategic and
103 operational information technology security plans developed
104 pursuant to the rules and guidelines established by the Agency
105 for State Enterprise Information Technology.
106 1. The state agency strategic information technology
107 security plan must cover a 3-year period and, at a minimum,
108 define security goals, intermediate objectives, and projected
109 agency costs for the strategic issues of agency information
110 security policy, risk management, security training, security
111 incident response, and disaster recovery survivability. The plan
112 must be based on the statewide enterprise strategic information
113 technology security strategic plan created by the Agency for
114 State Enterprise Information Technology and include performance
115 metrics that can be objectively measured to reflect the status
116 of the state agency’s progress in meeting security goals and
117 objectives identified in the agency’s strategic information
118 security plan. Additional issues may be included.
119 2. The state agency operational information technology
120 security plan must include a progress report that objectively
121 measures progress made towards for the prior operational
122 information technology security plan and a project plan that
123 includes activities, timelines, and deliverables for security
124 objectives that, subject to current resources, the state agency
125 will implement during the current fiscal year. The cost of
126 implementing the portions of the plan which cannot be funded
127 from current resources must be identified in the plan.
128 (c) Conduct, and update every 3 years, a comprehensive risk
129 assessment analysis to determine the security threats to the
130 data, information, and information technology resources of the
131 agency. The risk assessment must comply with the risk assessment
132 methodology developed by the Agency for State Technology and
133 analysis information is confidential and exempt from the
134 provisions of s. 119.07(1), except that such information shall
135 be available to the Auditor General, and the Agency for State
136 Enterprise Information Technology, the Cybercrime Office of the
137 Department of Law Enforcement, and, for state agencies under the
138 jurisdiction of the Governor, the Chief Inspector General for
139 performing postauditing duties.
140 (d) Develop, and periodically update, written internal
141 policies and procedures, which include procedures for reporting
142 information technology security incidents and breaches to the
143 Cybercrime Office of the Department of Law Enforcement and
144 notifying the Agency for State Enterprise Information Technology
145 when a suspected or confirmed breach, or an information security
146 incident, occurs. Such policies and procedures must be
147 consistent with the rules, and guidelines, and processes
148 established by the Agency for State Enterprise Information
149 Technology to ensure the security of the data, information, and
150 information technology resources of the agency. The internal
151 policies and procedures that, if disclosed, could facilitate the
152 unauthorized modification, disclosure, or destruction of data or
153 information technology resources are confidential information
154 and exempt from s. 119.07(1), except that such information shall
155 be available to the Auditor General, the Cybercrime Office of
156 the Department of Law Enforcement, and the Agency for State
157 Enterprise Information Technology, and, for state agencies under
158 the jurisdiction of the Governor, the Chief Inspector General
159 for performing postauditing duties.
160 (e) Implement managerial, operational, and technical
161 appropriate cost-effective safeguards established by the Agency
162 for State Technology to address identified risks to the data,
163 information, and information technology resources of the agency.
164 (f) Ensure that periodic internal audits and evaluations of
165 the agency’s information technology security program for the
166 data, information, and information technology resources of the
167 agency are conducted. The results of such audits and evaluations
168 are confidential information and exempt from s. 119.07(1),
169 except that such information shall be available to the Auditor
170 General, the Cybercrime Office of the Department of Law
171 Enforcement, and the Agency for State Enterprise Information
172 Technology, and, for agencies under the jurisdiction of the
173 Governor, the Chief Inspector General for performing
174 postauditing duties.
175 (g) Include appropriate information technology security
176 requirements in the written specifications for the solicitation
177 of information technology and information technology resources
178 and services, which are consistent with the rules and guidelines
179 established by the Agency for State Enterprise Information
180 Technology in collaboration with the Department of Management
181 Services.
182 (h) Provide information technology security awareness
183 training to all state agency employees and users of the agency’s
184 communication and information resources concerning information
185 technology security risks and the responsibility of employees
186 and users to comply with policies, standards, guidelines, and
187 operating procedures adopted by the state agency to reduce those
188 risks. The training may be provided in collaboration with the
189 Cybercrime Office of the Department of Law Enforcement.
190 (i) Develop a process for detecting, reporting, and
191 responding to threats, breaches, or information technology
192 security suspected or confirmed security incidents that are,
193 including suspected or confirmed breaches consistent with the
194 security rules, and guidelines, and processes established by the
195 Agency for State Enterprise Information Technology.
196 1. All information technology Suspected or confirmed
197 information security incidents and breaches must be immediately
198 reported to the Agency for State Enterprise Information
199 Technology.
200 2. For information technology security incidents involving
201 breaches, state agencies shall provide notice in accordance with
202 s. 817.5681 and to the Agency for Enterprise Information
203 Technology in accordance with this subsection.
204 (5) Each state agency shall include appropriate security
205 requirements in the specifications for the solicitation of
206 contracts for procuring information technology or information
207 technology resources or services which are consistent with the
208 rules and guidelines established by the Agency for Enterprise
209 Information Technology.
210 (5)(6) The Agency for State Enterprise Information
211 Technology shall may adopt rules relating to information
212 technology security and to administer the provisions of this
213 section.
214
215 ================= T I T L E A M E N D M E N T ================
216 And the title is amended as follows:
217 Delete lines 33 - 36
218 and insert:
219 to the Southwood Shared Resource Center; amending s.
220 282.318, F.S.; changing the name of the Enterprise
221 Security of Data and Information Technology Act;
222 defining the term “agency” as used in the act;
223 requiring the Agency for State Technology to establish
224 and publish certain security standards and processes;
225 requiring state agencies to perform certain security
226 related duties; requiring the agency to adopt rules;
227 conforming provisions;